Microsoft's product installers do very little to help when a product has to be set up with Kerberos security. Kerberos is used in many deployments of SharePoint, PerformancePoint, Reporting Services and similar products, and it is required whenever a request makes a "double hop": for example, a user's identity must be passed from a SharePoint server to an SSRS (SQL Server Reporting Services) server, which in turn connects to SQL Server on the user's behalf. NTLM cannot forward a user's credentials past the first server, so the second hop only works with Kerberos delegation. There are some good descriptions of how to set up Constrained Delegation (a more restrictive type of Kerberos delegation, in which an account may only delegate to an explicit list of services) for some products; an example can be seen at TechNet for PerformancePoint Server.

Since most of us only set up security like this occasionally, there really should be a tool that helps clients with the setup. This post proposes such a tool. It assumes you already have some background in Kerberos Constrained Delegation; it is not meant to be a comprehensive guide to setting up security. In the next few blog posts I will describe various tools that help you troubleshoot Kerberos issues once it is configured.

The Basics for a Tool (Example)

For the sake of this example, we will have three servers. The front-end SharePoint web server will be called ServerMOSS; its SharePoint application pool runs under the identity domain\MOSS2007webapp. The second server is a front-end SSRS server called ServerSSRS, whose application pool runs as domain\SSRSwebapp. We would like reports from ServerSSRS to be viewed through ServerMOSS. The third (back-end) server is the SQL Server database server, ServerSQL; its "SQL Server" service runs as the domain user domain\SQLService and hosts all of the databases for this example. A request therefore flows user -> ServerMOSS -> ServerSSRS -> ServerSQL: the user authenticates to ServerMOSS with Kerberos, domain\MOSS2007webapp delegates the user's identity to the SSRS service, and domain\SSRSwebapp delegates it again to the SQL Server service. This is the delegation chain the tool would have to be able to set up.

Server Oriented Information Needed

Machine Type: Front-End Server – MOSS

  Item                                     | Value                              | Description
  -----------------------------------------|------------------------------------|-------------------------------------
  Machine Name                             | ServerMOSS                         | May have multiple machines
  DNS Alias Used (A record) / host header  | None                               |
  App Pool / Service Account               | domain\MOSS2007webapp              |
  SPNs (or URLs) Needed                    | http/ServerMOSS                    | SPNs vary based on application needs
                                           | http/ServerMOSS.domain.com         |

Machine Type: Front-End Server – SSRS

  Item                                     | Value                              | Description
  -----------------------------------------|------------------------------------|-------------------------------------
  Machine Name                             | ServerSSRS                         | May have multiple machines
  DNS Alias Used (A record) / host header  | None                               |
  App Pool / Service Account               | domain\SSRSwebapp                  |
  SPNs (or URLs) Needed                    | http/ServerSSRS                    | SPNs vary based on application needs
                                           | http/ServerSSRS.domain.com         |

Machine Type: Back-End Server – Database for SSRS & MOSS

  Item                                     | Value                              | Description
  -----------------------------------------|------------------------------------|-------------------------------------
  Machine Name                             | ServerSQL                          | May have multiple machines
  DNS Alias Used (A record) / host header  | None                               |
  App Pool / Service Account               | domain\SQLService                  |
  SPNs (or URLs) Needed                    | MSSQLSvc/ServerSQL                 | SPNs vary based on application needs
                                           | MSSQLSvc/ServerSQL:1433            | Std Port Example (port # configurable)
                                           | MSSQLSvc/ServerSQL.domain.com      | With Domain
                                           | MSSQLSvc/ServerSQL.domain.com:1433 | With Domain and Std Port

Two points the tool would have to get right here. First, the client builds the SPN from the name it actually connects to, so if a DNS alias or host header is used (an A record rather than a CNAME, because some clients canonicalize a CNAME before building the SPN) the SPNs must be registered for the alias name as well as, or instead of, the machine name. Second, an SPN may exist on only one account in the forest; a duplicate silently breaks Kerberos for both owners, so the tool should check for duplicates before registering anything.

Delegation Information Needed

  Account                | Delegates to Account
  -----------------------|----------------------
  domain\MOSS2007webapp  | domain\SSRSwebapp
  domain\SSRSwebapp      | domain\SQLService

Number of delegations varies. Note that Active Directory does not store the target account: constrained delegation is recorded on the delegating account as a list of target SPNs (the msDS-AllowedToDelegateTo attribute), which is why the SPNs in the previous table have to be registered before the delegation can be configured.
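The following PowerShell script is an added example of what the proposed tool would do for the scenario above; it is not code from the original post. It assumes the ActiveDirectory module (RSAT) is installed, that the caller may edit the three service accounts, and that domain.com is the DNS suffix used for the FQDN SPNs. Server and account names are those from the tables. It derives the SPN list per service from the machine names and ports, refuses to register an SPN that another account already holds, and then writes each target's SPNs into the delegating account's msDS-AllowedToDelegateTo, adding only what is missing so it can be re-run safely.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and rights to edit the service accounts listed in $services.
Import-Module ActiveDirectory

$dnsSuffix = 'domain.com'   # assumption: DNS suffix used for the FQDN form of each SPN

# One entry per service account: hosts (machine names and any A-record aliases /
# host headers it answers on), the SPN class, and optional ports.
$services = @(
    @{ Account = 'MOSS2007webapp'; Class = 'http';     Hosts = @('ServerMOSS'); Ports = @() },
    @{ Account = 'SSRSwebapp';     Class = 'http';     Hosts = @('ServerSSRS'); Ports = @() },
    @{ Account = 'SQLService';     Class = 'MSSQLSvc'; Hosts = @('ServerSQL');  Ports = @(1433) }
)

# Delegation pairs from the post's second table: front-end account -> back-end account.
$delegations = @(
    @{ From = 'MOSS2007webapp'; To = 'SSRSwebapp' },
    @{ From = 'SSRSwebapp';     To = 'SQLService' }
)

# Build the SPN list for one service: short name and FQDN, each with and without port.
function Get-PlannedSpn([hashtable]$svc) {
    foreach ($h in $svc.Hosts) {
        foreach ($name in @($h, "$h.$dnsSuffix")) {
            "$($svc.Class)/$name"
            foreach ($p in $svc.Ports) { "$($svc.Class)/${name}:$p" }
        }
    }
}

# An SPN registered on a second account breaks Kerberos for both, so check the forest first.
function Test-SpnUnique([string]$spn, [string]$owner) {
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
        Where-Object { $_.sAMAccountName -ne $owner })
    return ($holders.Count -eq 0)
}

foreach ($svc in $services) {
    $planned = @(Get-PlannedSpn $svc)
    foreach ($spn in $planned) {
        if (-not (Test-SpnUnique $spn $svc.Account)) {
            throw "SPN $spn is already registered on another account; resolve that before continuing."
        }
    }
    $existing = @((Get-ADUser -Identity $svc.Account -Properties servicePrincipalName).servicePrincipalName |
        Where-Object { $_ })
    $missing = @($planned | Where-Object { $existing -notcontains $_ })
    if ($missing.Count -gt 0) {
        # @{Add=...} appends to servicePrincipalName without touching SPNs already present.
        Set-ADUser -Identity $svc.Account -ServicePrincipalNames @{ Add = $missing }
    }
    Write-Host "$($svc.Account) SPNs: $($planned -join ', ')"
}

# Constrained delegation lives on the delegating account as a list of target SPNs
# (msDS-AllowedToDelegateTo); the target account is only implied by those SPNs.
foreach ($d in $delegations) {
    $target     = $services | Where-Object { $_.Account -eq $d.To }
    $targetSpns = @(Get-PlannedSpn $target)
    $current    = @((Get-ADUser -Identity $d.From -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo' |
        Where-Object { $_ })
    $missing = @($targetSpns | Where-Object { $current -notcontains $_ })
    if ($missing.Count -gt 0) {
        Set-ADUser -Identity $d.From -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
    }
    Write-Host "$($d.From) may delegate to: $($targetSpns -join ', ')"
}
```

Because the front ends receive a Kerberos ticket from the browser, this configures Kerberos-only constrained delegation; it deliberately does not enable protocol transition (the "use any authentication protocol" option, TrustedToAuthForDelegation), which would let the account obtain tickets for users who never authenticated to it with Kerberos and is a larger grant than the scenario needs.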

Other Setup Items

Graphical tool for the associations (servers, accounts, SPNs and delegation pairs)

Set up of the service accounts in Active Directory

Configure the identity for the application pool(s) and the SQL Server service

Check that the application pool identity is in the proper local groups (like IIS_WPG)

Verify the result: read back each account's SPNs and delegation targets, and confirm every target SPN resolves to exactly one account
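As an added example of the verification step (not code from the original post), this PowerShell script reads back what the tool is expected to have configured. It assumes the ActiveDirectory module, the server and account names from the tables, and that the NetBIOS domain name is "domain"; the IIS_WPG check enumerates the local group over the WinNT ADSI provider, which requires local Administrators rights on each front end.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module,
# local admin rights on the front-end servers, and the names from the post's tables.
Import-Module ActiveDirectory

$domain = 'domain'   # assumption: NetBIOS domain name used in domain\account

# Each front end: the server, its app pool identity, and the account it must delegate to.
$checks = @(
    @{ Server = 'ServerMOSS'; Account = 'MOSS2007webapp'; DelegatesTo = 'SSRSwebapp' },
    @{ Server = 'ServerSSRS'; Account = 'SSRSwebapp';     DelegatesTo = 'SQLService' }
)

# Every SPN in msDS-AllowedToDelegateTo must be held by exactly one account, and that
# account must be the intended target; otherwise the KDC cannot issue the second-hop ticket.
function Test-DelegationTargets([string]$account, [string]$expectedOwner) {
    $user    = Get-ADUser -Identity $account -Properties 'msDS-AllowedToDelegateTo'
    $targets = @($user.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    if ($targets.Count -eq 0) { Write-Warning "$account has no delegation targets"; return $false }
    $ok = $true
    foreach ($spn in $targets) {
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
        if ($holders.Count -ne 1 -or $holders[0].sAMAccountName -ne $expectedOwner) {
            $found = @($holders | ForEach-Object sAMAccountName) -join ', '
            Write-Warning "$account -> $spn : expected one owner ($expectedOwner), found: $found"
            $ok = $false
        }
    }
    return $ok
}

# The app pool identity must be in the local IIS_WPG group (IIS 6) or the worker
# process cannot start; the WinNT provider lists local group members remotely.
function Test-IisWpgMember([string]$server, [string]$account) {
    $group   = [ADSI]"WinNT://$server/IIS_WPG,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
    return ($members -contains "WinNT://$domain/$account")
}

foreach ($c in $checks) {
    $spns = (Get-ADUser -Identity $c.Account -Properties servicePrincipalName).servicePrincipalName
    Write-Host "$($c.Account) SPNs: $($spns -join ', ')"
    if (-not (Test-DelegationTargets $c.Account $c.DelegatesTo)) {
        Write-Warning "delegation from $($c.Account) to $($c.DelegatesTo) is incomplete"
    }
    if (-not (Test-IisWpgMember $c.Server $c.Account)) {
        Write-Warning "$($c.Account) is not a member of IIS_WPG on $($c.Server)"
    }
}
```

A clean run prints each account's SPNs and no warnings; a warning about a target SPN with zero or two owners points at exactly the missing or duplicated registration that the setup step should have caught.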